Monthly Archives: July 2013

Seminar and Workshop Reg

Hey gang, we are pushing Seminar and Workshop Reg to Aug 11th since we still need to firm up our program. We will make an announcement once we have it up. Thanks for your patience!

-the ToorCon Cr3w

What Devs Need to Know About Security? Try What Security Needs to Know About Devs

Being one of the few devs with an interest in security, I have seen quite a few rants on what developers need to learn from the infosec profession. Yet most of these talks are given at security conferences. Out of the few dev conferences, I can count the number of security talks on one hand, and even then it ended up being a walkthrough of the top 10 OWASP vulnerabilities website. This has got to change, and I hope to shed some insight or a few WTF moments.

Renaissance coder, tinkerer, musician, brewer, and pilot.

Weaponizing your coffee pot

As SoC prices continue to drop and their implementation continues to rise, embedded “appliances” will become an attractive avenue for cyber criminals. Due to the fact they provide no traditional feedback (monitor) or input (mouse/keyboard), if one were able to compromise an embedded host it would be the perfect vantage point for a MITM attack or a beachhead to launch other attacks. I plan to guide you through some of the steps from initial reconnaissance to building binaries for different architectures. The end goal is to take over the host without breaking designed functionality (stealthy), being able to run third party binaries at start (lethal), and surviving basic removal techniques (persistent), aka weaponizing. As part of this walkthrough I will be guiding you through the exploitation of the Belkin WeMo light switch appliance.

Daniel Buentello
I majored in computer science and became a network engineer. I found passion in security and like to perform research in my spare time.

The 20-minute simple SQL rootkit

As Microsoft SQL Server has progressed, the security features and facilities have greatly matured. Unfortunately, the functionality of the service has also gone to great lengths to facilitate the programmability of the service by administrators and operators. This talk demonstrates how to use the latest version of SQL Server and the default functionality of both SQL and Windows to create, install, and hide a SQL service rootkit – all in 20 minutes.

Career pen-tester with a talent for breaking SQL – still hates being called, “The SQL guy.”

securing the S4

this is my 1st android (jelly bean). with my first app install i was appalled at all the access to my phone’s data that it wanted, nothing for free, eh? so, can you sandbox android apps even if they think they need access to my SIM, contacts, data on miniSD card, WTF. had to take control of my own device and this is how i did it

….experience flashing the ROM with custom kernel & getting rid of samsung+ATT bloatware on a new phone.

also included is backing up original device/ROM so i can restore it when needed/necessary :)

how to change the MAC address on it. setting up a VPN tunnel and a TOR APP. how to secure android in general

steven is an artist/computer wizard who loves computer security, keeping things secret, and freely using any device/os in any manner desired

Quantum Computers and Crypto

1. What are quantum computers?
2. How do they work?
3. Current Technology Situation
4. Programming a Quantum Computer
5. The 20 Questions Algorithm
6. Crypto which resists a Quantum Computer

Dave D’Rave
Downloaded the password file from a 360/67 in 1974.

Invented the “20 Questions” algorithm for quantum computers.

Still using Ubuntu.

Took the “Quantum Computers” seminar at UCSD. Audited “Quantum Computers” and “Photonic Crystals” at Stanford.

Protecting Data with Short-Lived Encryption Keys and Hardware Root of Trust

The US National Security Agency has been public about the inevitability of mobile computing and the need to support cloud-based service use for secret projects. General Alexander, head of the NSA, recently spoke of using smartphones as ID cards on classified networks.

And yet, mobile devices have a poor security track record, both as data repositories and as sources of trustworthy identity information. Cloud services are no better: current security features are oriented toward compliance and not toward real protection.

What if we could provide a strong link between mobile device identity, integrity, and the lifecycle of data retrieved from the cloud using only the hardware shipped with modern smartphones and tablets?

The good news is that we can do that with the trusted execution environment (TEE) features of the common system on a chip (SOC) mobile processor architectures using “measurement-bound” encryption. This talk will describe how data can be encrypted to a specific device, how decryption is no longer possible when the device is compromised, and where the weaknesses are. I will demonstrate measurement-bound encryption in action. I will also announce the release of an open-source tool that implements it as well as a paper that describes the techniques for time-bound keys.

This is likely the very same way that NSA will be protecting the smartphones that will be used for classified information retrieval. Come learn how your government plans to keep its own secrets and how you can protect yours.

Dan Griffin
Dan is the founder of JW Secure and is a Microsoft Enterprise Security MVP. Dan is the author of the books Cloud Security and Control, published in 2012, and The Four Pillars of Endpoint Security, to be published in 2013, and is a frequent conference speaker. Dan holds a Master’s degree in Computer Science from the University of Washington and a Bachelor’s degree in Computer Science from Indiana University.